Data Protection and Privacy
Guildhawk employs a range of methods to ensure that we maintain the highest levels of security and confidentiality for our clients. We also take it upon ourselves to research the latest developments within the industry and in the security sector. Given our close links with the City of London Police and the experience of Guildhawk’s Advisory Board Member David Clarke in the City of London Police and the British Transport Police, we also stay regularly updated on their security techniques and adopt their recommendations for enhanced security practices.
We have a variety of trusted partners who act in an advisory capacity regarding security and asset protections. These include Amethyst Risk Management Ltd and Aspen Security Consultants. Additionally we draw upon the experience of a network of cultural advisors ensuring up to date geographical risk awareness.
Jurga Zilinskiene is an elected board member for our Trade Body, the Association of Translation Companies (ATC), and is influential in dictating the industry standards for security and confidentiality which through association with EUATC covers translation policy at EU institutional level. Exposure to new ideas and techniques means we strive to lead in the adoption of best practice in all security issues. Guildhawk has close links with a number of global security companies and we receive regular advice from them.
We are confident that our levels of security and access control conform to the highest standards. We have invested heavily in building secure and robust infrastructure, and on the back of it have won contracts with multinational firms such as BAE Systems, Bloomberg and General Dynamics, all of whom are happy for Guildhawk to be a key supplier of linguistic services which entails handling materials of a highly sensitive nature.
2. Data Controller
Claire Brown, Operations Manager, is the Data Protection Officer of Guildhawk with a remit to oversee all of the firm’s operations. She can be contacted at Claire.Brown@guildhawk.com.
3. Purpose of processing data
Guildhawk may process data that includes personal data of its Clients, Prospective Clients, Employees and Suppliers. This data may include but not be limited to the following areas:
- First and Last name
- Bank account information
- Medical records
- Passport information
- Personal email address
- Credit card information
- Photos and videos
- Usernames and passwords
Guildhawk may process data that includes sensitive personal data including but not limited to the following areas:
- Data consisting of racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Data concerning health
- Data concerning a natural person’s sex life or sexual orientation
The Terms and Conditions for staff, suppliers and clients clearly state what the purpose of processing data is under the following clauses:
Staff Handbook: Appendix I: GDPR Consent Form
Supplier Terms & Conditions: Appendix A: Privacy Notice
Client Terms & Conditions: Section 12, in particular clause 12.7
Clients are also issued with a Privacy Statement which forms part of the auto-generated quote template sent at point of enquiry:
The Company and the Client shall ensure that all reasonable precautions are taken to ensure that the contents of all data remain confidential and any such data is only disclosed to those parties authorised to receive it. The Client accepts that the Company will act as an authorised data processor of the data they provide to the Company. The client shall inform the Company if the data requiring transfer should be classified as Restricted and thus be subject to Restricted data transfer and storage process as specified in the Company’s Information Classification and Handling Policy. Personal data as defined under the EU General Data Protection Regulation (GDPR) should be classified as Restricted. The Client accepts that any data provided to the Company will be processed for the purposes of translation or any other linguistic services the Client has contracted the Company to perform, research relating to such linguistic services and project management associated with such linguistic services. The data will be accessed by staff of the Company and those third party suppliers contracted to provide linguistic services to the Company. The Company remains solely and fully responsible for the handling and processing of any Client’s data and shall ensure that any third party suppliers fully comply with the confidentiality and any other data handling restrictions under the GDPR, other legal regulations or Client instructions. The Client accepts that if data should not be transferred outside of countries either falling under GDPR legislation or an approved third country then the Company must be informed of this at point of quote confirmation. The Company will retain client records for a maximum of 3 years. The Company will comply with any requests for early data destruction under the GDPR right to be forgotten policy. Any such requests must be made in writing to the Company’s Data Protection Officer.
4. Lawful Basis of processing data
Guildhawk will only process data when one of the below conditions has been met:
i) Explicit consent has been obtained from the individual.
ii) Legitimate Interest has been established through the individual requesting services either directly from Guildhawk or by expressing interest in receiving information on language services through a third party marketing agency.
iii) A contract has been signed with the individual.
iv) The processing is necessary under the vital interests argument.
v) The processing is necessary to comply with a legal obligation.
vi) The processing is necessary to perform a task in the public interest.
5. Preventative Measures
Guildhawk has in place the following data integrity, storage and transfer processes:
All data is stored in servers that are located in the City
of London, UK, with data-storage centres in the Midlands, UK.
Established process and policies are in existence for Classification, Transfer and Destruction of information.
Emails are encrypted using FIPS 140-2 certified software.
Annual penetration tests are undertaken.
All data processing facilities have appropriate anti-malware and anti-virus protection.
Data is transferred using either the Guildhawk email domain or via Box, an ISO27001 certified data sharing site.
If required by clients, we will add restrictions to the selection criteria for linguists – for example to prevent the assignment of a linguist who has previously worked with a sector competitor, to arrange for linguists to be based within a specific jurisdiction for particular assignments, or to prevent data from being transmitted outside the EEA. This action will follow an overall risk assessment of the project agreed between our clients and Guildhawk.
Physical security is also important for our staff (including linguists) and the safety of clients and their assignments. Our Head Office in London is secured with fire alarms and CCTV cameras and a 24/7 monitored central-station alarm systems compliant with The Association of Chief Police Officers (APCO) guidelines. We regularly liaise with the City of London Police for guidance and recommendations on further security measures.
6. Data Subject’s rights
Data subjects have the right to request access to their personal data. Any Data Subject Access Requests must be made in writing to the Data Protection Officer who will confirm the necessary information within 30 working days from the date the request was received.
The Company will also comply with any requests for early data destruction under the GDPR right to be forgotten policy. Any such requests must be made in writing to the Company’s Data Protection Officer.
Guildhawk maintains comprehensive insurance including professional indemnity and cover in the event of terrorist attacks and data breaches. This cover also extends to linguists working on projects under our instruction.
Guildhawk has been certified under the ISO 27001:2013 framework since 2014 under certificate number CN/15521IS.